General
Target: PRODUCT SPEC.zip
Size: 562KB
Sample: 211020-1c6pdaaecl
MD5: 8a00db6216627505fab4cd708beb6f8e
SHA1: 0a8a0a5c26b23559129f52462550f77c120532ca
SHA256: d19d3df61c00a397ad513d94b882eed5de7a394e9ee1d1a7ee143360b5302c85
SHA512: 06d74659245363215c7c839aa803cfa5a8580d208c7b623ebada7aad1e164d0e54b66f9e3c09b8056a90689fd722812593204afe118b6e4322c903f559c7ce6a
Static task: static1
Behavioral task: behavioral1 (Sample: PRODUCT SPEC.xll.dll, Resource: win7-en-20211014)
Behavioral task: behavioral2 (Sample: PRODUCT SPEC.xll.dll, Resource: win10-en-20210920)
Behavioral task: behavioral3 (Sample: PRODUCT SPECIFICATION.xll.dll, Resource: win7-en-20211014)
Behavioral task: behavioral4 (Sample: PRODUCT SPECIFICATION.xll.dll, Resource: win10-en-20210920)
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: qcrn
C2: http://www.visiblegrowthagency.com/qcrn/
Targets
Target: PRODUCT SPEC.xll
Size: 637KB
MD5: 53914aa37db415d0f2c0e7f3cb1682ce
SHA1: 5dfb5eb947abb723d86047ff2169bac75748eaa3
SHA256: 4f3ffa5981cca7a94a4eed697119e34157490d43ac806fb16ac5c6d237824817
SHA512: 2c2beb0bc6af799aa204dbef5cac67e865bbc08c5abfc5f21176fccdbd8a479649a7262956bf6f8546983fab141a1e954ec030bb2a18ff792cd785970c8f94d4
Score: 1/10
Target: PRODUCT SPECIFICATION.xll
Size: 553KB
MD5: 9f74a93c7a015aefdf3a5f63027809e2
SHA1: 182f6a8da5ed8e220a1896b4d45aac220db7dcf3
SHA256: 9dedd6b7ed7d6c47bb7a7af88b925430bfb2c7d5f377a4d96c1af7b9cb62707d
SHA512: 1d2035e050a817ecf81a27ccc936460359304517f019764be888ce5f9c9228f253278dedffc1afdc15b6615224b0c3f7cccada33cf54fd93386a507bffa5f055
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext